Using the AES-GMAC Algorithm with the Cryptographic Message Syntax (CMS)
RFC 9044

Yes

Roman Danyliw

No Objection

Alvaro Retana
Erik Kline
Martin Duke
Murray Kucherawy
Éric Vyncke
(Alissa Cooper)
(Barry Leiba)
(Deborah Brungard)
(Martin Vigoureux)

Note: This ballot was opened for revision 03 and is now closed.

Roman Danyliw Yes

Alvaro Retana No Objection

Erik Kline No Objection

Martin Duke No Objection

Murray Kucherawy No Objection

Robert Wilton No Objection

Comment (2021-02-23 for -03)
Easy to read and understand.  Thank you.

Warren Kumari No Objection

Comment (2021-02-25 for -03)
Thank you - even I understood some of it :-)

Éric Vyncke No Objection

(Alissa Cooper; former steering group member) No Objection

No Objection (for -03)

(Barry Leiba; former steering group member) No Objection

No Objection (for -03)

(Benjamin Kaduk; former steering group member) No Objection

No Objection (2021-02-23 for -03)
Section 7

   Implementers should be aware that cryptographic algorithms become
   weaker with time.  As new cryptanalysis techniques are developed and
   computing performance improves, the work factor to break a particular
   cryptographic algorithm will reduce.  Therefore, cryptographic
   algorithm implementations should be modular allowing new algorithms
   to be readily inserted.  That is, implementers should be prepared to
   regularly update the set of algorithms in their implementations.

I think that BCP 201 is a good reference for further reading here.

Section 8.2

If we're importing ASN.1 bits from RFC 5912, doesn't that make it a
normative reference?

(Deborah Brungard; former steering group member) No Objection

No Objection (for -03)

(Magnus Westerlund; former steering group member) No Objection

No Objection (2021-02-25 for -03)
Should there be any comments in the security consideration section about the security implications of using 96-bit truncated tags? 

I know that shorter tags have significant vulnerabilities against forgery attempts where successful forgery can be detected. John Mattsson and I wrote a paper identifying why shorter tags would be very bad in SRTP in 2015. https://eprint.iacr.org/2015/477.pdf

I guess the possibility to figure out if CMS forgery attempts are successful depends on what the CMS is used for.

(Martin Vigoureux; former steering group member) No Objection

No Objection (for -03)